More and more transactions involve a user operating a mobile device. A common example of a transaction is a payment transaction, which typically requires the user of a mobile device to provide information for security and/or authentication purposes. Many other types of transactions also require the use of authentication techniques, wherein the user may be required to provide a personal identification number (“PIN”) or the like for authentication purposes when prompted. Due to an increase in fraud, it has become increasingly important to incorporate additional and/or different types of authentication protocols for improved security when conducting transactions.
The use of passwords to authenticate users, such as consumers, endures despite the growing consensus that the use of passwords needs to be reduced or replaced. Effective public key infrastructure (PKI) and strong authentication solutions have existed for years, but barriers to widespread adoption persist. For example, consumers don't like the user experience associated with PKI and/or strong authentication services, and online service providers balk at the cost and complexity of developing and then provisioning their own dedicated solutions to user devices.
The FIDO (“Fast IDentity Online”) Alliance was created to solve these problems, and has created specifications and certifications that enable the world's largest interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many applications (“apps”) and websites. This ecosystem includes more than 200 certified products and enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle attacks, and replay attacks using stolen passwords.
FIDO specifications have been developed that include a set of technology-agnostic security specifications for strong authentication. The FIDO specifications support a full range of authentication technologies, including biometric authenticators such as fingerprint sensors, iris scanners, microphones (for voice recognition), and optical sensors or cameras (for facial recognition). The FIDO specifications also support existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE), smart cards, and near-field communication (NFC). For example, a USB security token device may be used to authenticate using a simple password (such as a four-digit PIN) or by pressing a button. The FIDO specifications emphasize a device-centric model, and authentication over the wire happens using public key cryptography. The user's device registers the user to a server by registering a public key, and to authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button.
Thus, FIDO specifications support multifactor authentication (MFA) and public key cryptography. A major benefit of FIDO-compliant authentication is the fact that users don't need to use complex passwords, don't have to deal with complex strong password rules, and no longer have to endure recovery procedures which may be required of a user when a password is forgotten. Instead of using password databases, the FIDO specification requires personally identifying information (PII), such as biometric authentication data, to be stored locally on the user's device for security purposes. FIDO's local storage of biometrics and other personal identification eases user concerns about personal data being stored on an external server in the cloud, or in some other storage device. By abstracting the protocol implementation with application programming interfaces (APIs), FIDO also reduces the work required for developers to create secure logins for mobile clients running different operating systems (OSs) on different types of hardware.
FIDO specifications provide two categories of user experiences, depending on whether the user interacts with the Universal Authentication Framework (UAF) protocol or with the Universal Second Factor (U2F) protocol. With UAF, the client device creates a new key pair during registration with an online service, and then retains the private key. The public key is registered with the online service, and during authentication the client device proves possession of the private key to the service by signing a challenge. Signing a challenge typically involves a user-friendly action such as providing a fingerprint, entering a PIN, or speaking into a microphone. With U2F, user authentication requires a strong second factor, such as a Near Field Communication (NFC) tap or a USB security token connected to the user device. Both FIDO standards define a common interface at the client for the local authentication method that the user exercises. The client can be pre-installed on the operating system or web browser.
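The registration and challenge-signing flow described in the two preceding paragraphs, as an added illustration that is not part of this document and not any FIDO Alliance or vendor code: the device generates a key pair at registration and hands over only the public key; the server later issues a one-time random challenge; the device signs it only after a local gesture; and the server verifies the signature against the stored public key and consumes the challenge. The signed message here is a simplified SHA-256 over the service identifier and the challenge, not the real FIDO/WebAuthn wire format; the names `Authenticator`, `Server`, `Register`, `Sign`, `Challenge` and `Verify` are assumptions for this example, and the `gesture` flag stands in for the biometric or button press that unlocks the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device: private keys never leave it, and it
// signs only after a local user gesture (PIN, biometric, button press).
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // credential id -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair for one service (rpID) and returns the
// credential id plus the public key; only those two values go to the server.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return "", nil, err
	}
	credID := hex.EncodeToString(idBytes)
	a.keys[credID] = priv
	return credID, &priv.PublicKey, nil
}

// Sign proves possession of the private key by signing the server's challenge
// bound to the service identifier the client observed. Without the gesture the
// key stays locked and nothing is signed.
func (a *Authenticator) Sign(credID, rpID string, challenge []byte, gesture bool) ([]byte, error) {
	if !gesture {
		return nil, errors.New("user gesture required: key is locked")
	}
	priv, ok := a.keys[credID]
	if !ok {
		return nil, errors.New("unknown credential")
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, challenge))
}

// assertionDigest is the simplified message both sides sign/verify (assumption:
// real FIDO signs authenticator data and a hash of the client data instead).
func assertionDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Server is the relying party: it stores only public keys and outstanding challenges.
type Server struct {
	rpID       string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte // credential id -> challenge awaiting an assertion
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *Server) StoreCredential(credID string, pub *ecdsa.PublicKey) { s.pubKeys[credID] = pub }

// Challenge issues a fresh 32-byte random nonce valid for exactly one assertion.
func (s *Server) Challenge(credID string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[credID] = c
	return c, nil
}

// Verify checks the signature against the registered public key and the server's
// own rpID, then discards the challenge so a captured assertion cannot be replayed.
func (s *Server) Verify(credID string, sig []byte) bool {
	pub, ok := s.pubKeys[credID]
	challenge, issued := s.challenges[credID]
	if !ok || !issued {
		return false
	}
	delete(s.challenges, credID) // one-time use
	return ecdsa.VerifyASN1(pub, assertionDigest(s.rpID, challenge), sig)
}

func main() {
	auth, srv := NewAuthenticator(), NewServer("bank.example") // constructed service name
	credID, pub, _ := auth.Register("bank.example")
	srv.StoreCredential(credID, pub)
	ch, _ := srv.Challenge(credID)
	sig, _ := auth.Sign(credID, "bank.example", ch, true)
	fmt.Println("first assertion accepted:", srv.Verify(credID, sig))
	fmt.Println("replayed assertion accepted:", srv.Verify(credID, sig))
}
```

Because the server hashes its own `rpID` into the verified message, a signature produced for a look-alike service identifier does not verify, which is the property behind the phishing resistance the text mentions; consuming each challenge on first use is what defeats replay of a captured assertion.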
Due to the popularity and widespread acceptance and use of the FIDO specifications, FIDO-based authentication servers are becoming a commodity. Thus, many different vendors currently exist that offer FIDO-certified servers as an in-house and/or cloud-based solution for clients. For example, one or more payment processing companies have implemented a FIDO server as part of an authentication platform, and therefore some embodiments include tight integration between a MasterCard™ Identity Server (MIS) core platform and a FIDO-certified server hosted on-premises. But if a vendor provides the FIDO server and/or FIDO services to a client, then the client may become strongly reliant on one partner (that vendor), which typically also entails licensing and integration costs. Alternately, if the client decides to rely on a custom-built FIDO server implementation, the client must be willing to shoulder FIDO certification costs and ongoing maintenance costs. Thus, it would be advantageous for an entity, such as a payment processing company, to be able to offer a variety of FIDO-certified services to clients in a cost-effective manner, wherein the clients are not required to rely on only one partner and/or are not required to host their own on-premises FIDO-certified server.